Azure AD authenticates an identity such as a user, group, or service principal, and role-based access control (RBAC) determines what that identity is permitted to do. You can define custom RBAC roles that encompass common sets of permissions used to access Azure Files. When you assign your custom RBAC role to an Azure AD identity, that identity is granted access to an Azure file share according to those permissions.

As part of the preview, Azure Files also supports preserving, inheriting, and enforcing NTFS DACLs on all files and directories in a file share. If you copy data from a file share to Azure Files, or vice versa, you can specify that NTFS DACLs are maintained. In this way you can implement backup scenarios using Azure Files, preserving your NTFS DACLs between your on-premises file share and your cloud file share.

Note

Azure AD authentication over SMB is not supported for Linux VMs for the preview release. Only Windows Server VMs are supported.

Azure Role-Based Access Control (RBAC)

Azure Role-Based Access Control (RBAC) enables fine-grained access management for Azure. Using RBAC, you can manage access to resources by granting users the fewest permissions needed to perform their jobs. For more information on RBAC, see What is role-based access control (RBAC) in Azure?

Kerberos authentication

Kerberos is an authentication protocol that is used to verify the identity of a user or host. For more information on Kerberos, see Kerberos Authentication Overview.

Advantages of Azure AD authentication

Azure AD over SMB for Azure Files offers several benefits over using Shared Key authentication:

Extend the traditional identity-based file share access experience to the cloud with Azure AD
If you plan to "lift and shift" your application to the cloud, replacing traditional file servers with Azure Files, then you may want your application to authenticate with Azure AD to access file data. Azure Files supports using Azure AD credentials from domain-joined VMs over SMB to access file shares, directories, or files. You can also choose to sync all of your on-premises Active Directory objects to Azure AD to preserve usernames, passwords, and other group assignments.

Enforce granular access control on Azure file shares
With Azure AD authentication over SMB, you can grant permissions to a specific identity at the share, directory, or file level. For example, suppose that you have several teams using a single Azure file share for project collaboration. You can grant all teams access to non-sensitive directories, while limiting access to directories containing sensitive financial data to your Finance team only.

Back up ACLs along with your data
You can use Azure Files to back up your existing on-premises file shares. Azure Files preserves your ACLs along with your data when you back up a file share to Azure Files over SMB.

How it works

Azure Files uses Azure AD Domain Services to support Kerberos authentication with Azure AD credentials from domain-joined VMs. Before you can use Azure AD with Azure Files, you must first enable Azure AD Domain Services and join the domain from the VMs from which you plan to access file data. Your domain-joined VM must reside in the same virtual network (VNET) as Azure AD Domain Services.

When an identity associated with an application running on a VM attempts to access data in Azure Files, the request is sent to Azure AD Domain Services to authenticate the identity. If authentication is successful, Azure AD Domain Services returns a Kerberos token. The application sends a request that includes the Kerberos token, and Azure Files uses that token to authorize the request. Azure Files receives the token only and does not persist Azure AD credentials.
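The flow above depends on three things being in place on the VM: it is joined to the Azure AD Domain Services domain, it can reach the storage endpoint over SMB from the same VNET, and the domain actually issues a Kerberos ticket for the share. The following script is an added example, not part of this article, that checks each of these from a domain-joined Windows VM before any share is mounted. The storage account name, the domain name, and the service principal name form cifs/<account>.file.core.windows.net are assumptions.

```powershell
# Added example: verify the Kerberos prerequisites described above from a domain-joined VM.
# All names below are assumptions for illustration.
$storageAccount = "stfilesdemo"          # assumed storage account name
$expectedDomain = "aadds.contoso.com"    # assumed Azure AD Domain Services domain name
$fqdn = "$storageAccount.file.core.windows.net"

# 1. The VM must be joined to the Azure AD DS domain, not just Azure AD registered.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain -or $cs.Domain -ne $expectedDomain) {
    throw "VM is not joined to $expectedDomain (current domain: $($cs.Domain))"
}

# 2. SMB (TCP 445) to the storage endpoint must be reachable from the VM's VNET.
if (-not (Test-NetConnection -ComputerName $fqdn -Port 445).TcpTestSucceeded) {
    throw "TCP 445 to $fqdn is not reachable"
}

# 3. Ask the domain for a service ticket for the share's SMB service.
#    'klist get' requests a ticket for the given SPN; if the KDC (Azure AD DS)
#    cannot issue one, the SMB session would not be able to use Kerberos.
$spn = "cifs/$fqdn"          # assumed SPN form for the storage endpoint
$out = & klist.exe get $spn 2>&1
if ($LASTEXITCODE -ne 0 -or ($out -match 'klist failed')) {
    throw "No Kerberos service ticket for $spn`n$($out -join "`n")"
}

# Show the cached ticket(s) for the storage endpoint so the encryption type
# and validity window can be reviewed.
& klist.exe tickets | Select-String -Pattern $fqdn -Context 0,4
```

Run the script as the Azure AD user that will access the share; the ticket request is made in that user's logon session, which is the session the SMB client later reuses.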

Enable Azure AD authentication over SMB

You can enable Azure AD authentication over SMB for Azure Files on your new and existing storage accounts created after September 24, 2018.

Before enabling Azure AD authentication over SMB, verify that Azure AD Domain Services has been deployed for the primary Azure AD tenant with which your storage account is associated. If you have not yet set up Azure AD Domain Services, follow the step-by-step guidance provided in Enable Azure Active Directory Domain Services using the Azure portal.

Configure share-level permissions for Azure Files

Once Azure AD authentication has been enabled, you can configure custom RBAC roles for Azure AD identities and assign access rights to any file shares in the storage account.

When an application running on a domain-joined VM tries to mount an Azure file share or access a directory or file, the application's Azure AD credentials are verified, and both the share-level permissions and the NTFS permissions are checked. For information about configuring share-level permissions, see Enable Azure Active Directory authentication over SMB (Preview).
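The following script is an added example, not part of this article, of the share-level step: it defines a custom RBAC role that grants read-only SMB data access and assigns it to an Azure AD group at the scope of a single file share, so that the assignment is no broader than the share it protects. The subscription ID, resource group, storage account, share and group names are placeholders, and the data action string used in the role is an assumption; confirm the operations available in your tenant with Get-AzProviderOperation before creating the role.

```powershell
# Added example: custom RBAC role plus share-scoped assignment (Az PowerShell module).
# Names and identifiers below are placeholders or assumptions.
Connect-AzAccount | Out-Null

$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$resourceGroup  = "rg-files-demo"                          # assumed
$storageAccount = "stfilesdemo"                            # assumed
$shareName      = "projects"                               # assumed

# Scope the assignment to one file share rather than the whole storage account.
$shareScope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
              "/providers/Microsoft.Storage/storageAccounts/$storageAccount" +
              "/fileServices/default/fileshares/$shareName"

# Build the custom role from an existing role object so all required fields exist,
# then replace every permission list with exactly what this role should allow.
$role = Get-AzRoleDefinition -Name "Reader"
$role.Id = $null
$role.Name = "Azure Files SMB Share Reader (custom)"
$role.Description = "Read-only data access to Azure file shares over SMB."
$role.Actions.Clear()
$role.NotActions.Clear()
$role.DataActions.Clear()
$role.NotDataActions.Clear()
# Assumed data action; verify with:
#   Get-AzProviderOperation "Microsoft.Storage/storageAccounts/fileServices/*"
$role.DataActions.Add("Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read")
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subscriptionId")
New-AzRoleDefinition -Role $role | Out-Null

# Assign the role to the Finance group (assumed group name) on this share only.
$group = Get-AzADGroup -DisplayName "Finance"
New-AzRoleAssignment -ObjectId $group.Id `
    -RoleDefinitionName $role.Name `
    -Scope $shareScope | Out-Null

# Check: list every assignment that applies at the share scope, including those
# inherited from the storage account, resource group and subscription.
Get-AzRoleAssignment -Scope $shareScope |
    Select-Object DisplayName, RoleDefinitionName, Scope
```

The final query is the useful part for review: an assignment inherited from a higher scope still grants access to the share, so check the Scope column rather than only the assignments created directly on the share.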

Configure directory- or file-level permissions for Azure Files

Azure Files enforces standard NTFS file permissions at the directory and file level, including at the root directory. Configuration of directory- or file-level permissions is supported over SMB only. Mount the target file share from your VM and configure permissions using the Windows icacls or Set-Acl command.
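As an added example that is not part of this article, the following script mounts a share from a domain-joined Windows VM and applies the directory layout used earlier in this article: a directory every team can read and a directory restricted to the Finance team. It shows both icacls and Set-Acl, then reads the resulting entries back with Get-Acl. The storage account, share, domain and group names, the drive letter and the directory names are assumptions; the mount uses the storage account key because, as this article states, mounting requires superuser permissions.

```powershell
# Added example: mount the share, then set directory-level NTFS permissions.
# Names below are assumptions for illustration.
$resourceGroup  = "rg-files-demo"          # assumed
$storageAccount = "stfilesdemo"            # assumed
$shareName      = "projects"               # assumed
$domain         = "CONTOSO"                # assumed NetBIOS name of the Azure AD DS domain
$unc            = "\\$storageAccount.file.core.windows.net\$shareName"

# Mounting requires the storage account key. Fetch it at run time instead of
# embedding it in the script, and do not persist the mapping (no /persistent:yes).
$key = (Get-AzStorageAccountKey -ResourceGroupName $resourceGroup -Name $storageAccount)[0].Value
cmd.exe /c "net use Z: $unc /user:Azure\$storageAccount $key" | Out-Null

# Assumed layout: \shared is readable by all domain users, \finance by Finance only.
New-Item -ItemType Directory -Path "Z:\shared", "Z:\finance" -Force | Out-Null

# icacls: (OI)(CI) make the entry apply to child files and directories.
# RX = read and execute, M = modify.
icacls "Z:\shared" /grant "${domain}\Domain Users:(OI)(CI)RX"

# For \finance, stop inheriting from the root but keep copies of the inherited
# entries (/inheritance:d), drop the broad entry if one was copied, then grant Finance.
icacls "Z:\finance" /inheritance:d
icacls "Z:\finance" /remove "${domain}\Domain Users"
icacls "Z:\finance" /grant "${domain}\Finance:(OI)(CI)M"

# Set-Acl: the same kind of change expressed with .NET access rules.
# Here an assumed Auditors group gets read-only access to \finance.
$acl  = Get-Acl -Path "Z:\finance"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList "${domain}\Auditors", "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow"
$acl.AddAccessRule($rule)
Set-Acl -Path "Z:\finance" -AclObject $acl

# Check: list the effective entries on each directory.
foreach ($dir in "Z:\shared", "Z:\finance") {
    "==== $dir"
    Get-Acl -Path $dir | Select-Object -ExpandProperty Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited, InheritanceFlags -AutoSize
}

# Remove the superuser mapping once the ACLs are in place.
cmd.exe /c "net use Z: /delete" | Out-Null
```

Because the mapping was made with the account key, the permission changes above succeed regardless of the NTFS entries already on the share; verify the result from a normal domain user session afterwards so that what users actually get is what the Get-Acl output shows.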

Note

Configuring NTFS permissions through Windows File Explorer is not supported in the preview.

Use the storage account key for superuser permissions

A user possessing the storage account key can access Azure Files with superuser permissions. Superuser permissions override all access control restrictions configured at the share level with RBAC and enforced by Azure AD. Superuser permissions are required to mount an Azure file share.

Important

As part of best practices for security, avoid sharing your storage account keys, and use Azure AD permissions whenever possible.

Preserve directory and file ACLs for data import to Azure file shares

Azure AD authentication over SMB supports preserving directory or file ACLs when you copy data to Azure file shares. In the preview release, you can copy the ACLs on a directory or file to Azure Files. For example, you can use robocopy with flag /copy:s to copy both data and ACLs to an Azure file share.
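The following script is an added example, not part of this article, that copies an on-premises share to a mounted Azure file share with robocopy and then checks that the DACLs survived the copy. It uses /COPY:DATS, which is the /copy:s flag this article mentions combined with the usual data, attribute and timestamp copy, and /DCOPY:DAT for directories. The verification compares only the explicit (non-inherited) access entries of each directory on both sides, because inherited entries are recomputed from the Azure file share's own root and are expected to differ. The source path, the drive letter and the log location are assumptions.

```powershell
# Added example: copy data with ACLs to an Azure file share, then verify the ACLs.
# Paths below are assumptions; Z: is assumed to be the mounted Azure file share.
$source = "\\fs01.contoso.local\projects"   # assumed on-premises share
$target = "Z:\"                              # assumed mount of the Azure file share
$log    = Join-Path $env:TEMP "robocopy-acl.log"

# /E        include subdirectories, even empty ones
# /COPY:DATS copy Data, Attributes, Timestamps and Security (the NTFS DACL)
# /DCOPY:DAT copy Data, Attributes and Timestamps for directories
# /ZB       restartable mode, falling back to backup mode where access is denied
# /R:2 /W:5 bound retries so a stuck file does not stall the job
robocopy $source $target /E /COPY:DATS /DCOPY:DAT /ZB /R:2 /W:5 /NP "/LOG:$log"

# robocopy exit codes below 8 are success variants (copied, extras, mismatches);
# 8 and above mean at least one file or directory failed.
if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures, see $log" }

# Normalize the explicit ACEs of a path into sortable strings for comparison.
function Get-ExplicitAces([string]$path) {
    (Get-Acl -Path $path).Access |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object {
            "$($_.IdentityReference)|$($_.FileSystemRights)|$($_.AccessControlType)|" +
            "$($_.InheritanceFlags)|$($_.PropagationFlags)"
        } |
        Sort-Object
}

# Walk every source directory and compare it with its copy on the target.
$mismatches = @()
Get-ChildItem -Path $source -Directory -Recurse | ForEach-Object {
    $rel = $_.FullName.Substring($source.Length).TrimStart('\')
    $dst = Join-Path $target $rel
    if (-not (Test-Path -Path $dst)) {
        $mismatches += "$rel (missing on target)"
        return
    }
    $diff = Compare-Object @(Get-ExplicitAces $_.FullName) @(Get-ExplicitAces $dst)
    if ($diff) { $mismatches += $rel }
}

if ($mismatches.Count -eq 0) {
    "All explicit directory DACL entries match between source and target."
} else {
    "Directories whose explicit DACL entries differ:"
    $mismatches
}
```

The comparison is keyed on the identity as it resolves on the VM. Entries for identities that exist only on-premises and were not synced to Azure AD will show up on the target as unresolved SIDs, so a mismatch on such a directory usually points to a sync gap rather than to a copy error.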